The pg_ctlcluster script in postgresql-common in versions prior to 210 didn't drop privileges when creating socket/statistics temporary directories, which could result in local privilege escalation.
Vulnerabilities in the Mint WorkBench allow a low privileged attacker to create and write to a file anywhere on the file system as SYSTEM with arbitrary content as long as the file does not already exist. The Mint WorkBench installer file allows a low-privileged user to run a "repair" operation on the product
A vulnerability was found in Teradici Management Console 2.2.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Database Management. The manipulation leads to improper privilege management. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
A vulnerability has been identified in SINUMERIK MC (All versions < V1.15 SP1), SINUMERIK ONE (All versions < V6.15 SP1). The sc SUID binary on affected devices provides several commands that are used to execute system commands or modify system files. A specific set of operations using sc could allow local attackers to escalate their privileges to root.
A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11. Affected is an unknown function. The manipulation leads to improper privilege management. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.1.12 is able to address this issue. It is recommended to upgrade the affected component.
sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.
In FreeBSD 12.2-STABLE before r365767, 11.4-STABLE before r365769, 12.1-RELEASE before p10, 11.4-RELEASE before p4 and 11.3-RELEASE before p14 a number of AMD virtualization instructions operate on host physical addresses, are not subject to nested page table translation, and guest use of these instructions was not trapped.
Pritunl Client through 1.2.3019.52 on Windows allows local privilege escalation, related to an ACL entry for CREATOR OWNER in platform_windows.go.
Soapbox through 0.3.1: Sandbox bypass - runs a second instance of Soapbox within a sandboxed Soapbox.
Check Point ZoneAlarm before version 15.8.200.19118 allows a local actor to escalate privileges during the upgrade process. In addition, weak permissions in the ProgramData\CheckPoint\ZoneAlarm\Data\Updates directory allow a local attacker the ability to execute an arbitrary file write, leading to execution of code as local system, in ZoneAlarm versions before v15.8.211.192119
gksu-polkit: permissive PolicyKit policy configuration file allows privilege escalation
Nagios Core through 4.3.4 initially executes /usr/sbin/nagios as root but supports configuration options in which this file is owned by a non-root account (and similarly can have nagios.cfg owned by a non-root account), which allows local users to gain privileges by leveraging access to this non-root account.
An Improper Access Control issue was discovered in Trihedral VTScada 11.3.03 and prior. A local, non-administrator user has privileges to read and write to the file system of the target machine.
In WelcomeActivity.java and related files, there is a possible permissions bypass due to a partially provisioned Device Policy Client. This could lead to local escalation of privilege, leaving an Admin app installed with no indication to the user, with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-132261064
Windows Installer Elevation of Privilege Vulnerability
Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation.
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
In EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, 8.0.0.0 - 8.0.0.4, 7.2.1.0 - 7.2.1.5, 7.2.0.x, and 7.1.1.x, a malicious compliance admin (compadmin) account user could exploit a vulnerability in isi_get_itrace or isi_get_profile maintenance scripts to run any shell script as system root on a cluster in compliance mode. This could potentially lead to an elevation of privilege for the compadmin user and violate compliance mode.
CA Automic Dollar Universe 5.3.3 contains a vulnerability, related to the uxdqmsrv binary being setuid root, that allows local attackers to elevate privileges. This vulnerability was reported to CA several years after CA Automic Dollar Universe 5.3.3 reached End of Life (EOL) status on April 1, 2015.
An issue was discovered in TitanHQ WebTitan before 5.18. It has a sudoers file that enables low-privilege users to execute a vast number of commands as root, including mv, chown, and chmod. This can be trivially exploited to gain root privileges by an attacker with access.
A Privilege Escalation vulnerability exists in the SDBagent service in Safend Data Protector Agent 3.4.5586.9772, which could let a local malicious user obtain privileges.
FastTrack Admin By Request 6.1.0.0 supports group policies that are supposed to allow only a select range of users to elevate to Administrator privilege at will. If a user does not have direct access to the elevation feature through group policies, they are prompted to enter a PIN code in a challenge-response manner upon attempting to elevate privileges. The challenge's response uses a simple algorithm that can be easily emulated via data (customer ID and device name) available to all users, and thus any user can elevate to Administrator privilege.
In Ivanti WorkSpace Control before 10.4.40.0, a user can elevate rights on the system by hijacking certain user registries. This is possible because pwrgrid.exe first checks the Current User registry hives (HKCU) when starting an application with elevated rights.
Privilege escalation vulnerability in MicroK8s allows a low privilege user with local access to obtain root access to the host by provisioning a privileged container. Fixed in MicroK8s 1.15.3.
CloudBerry Backup v6.1.2.34 allows local privilege escalation via a Pre or Post backup action. With only user-level access, a user can modify the backup plan and add a Pre backup action script that executes on behalf of NT AUTHORITY\SYSTEM.
ESET Cyber Security 6.7.900.0 for macOS allows a local attacker to execute unauthorized commands as root by abusing an undocumented feature in scheduled tasks.
lightdm before 0.9.6 writes in .dmrc and Xauthority files using root permissions while the files are in user controlled folders. A local user can overwrite root-owned files via a symlink, which can allow possible privilege escalation.
oVirt Node: Lock screen accepts F2 to drop to shell causing privilege escalation
During an internal product security audit a potential vulnerability due to use of Boot Services in the SmmOEMInt15 SMI handler was discovered in some ThinkPad models could be exploited by an attacker with elevated privileges that could allow for execution of code.
Extreme EXOS 16.x, 21.x, and 22.x allows administrators to obtain a root shell via vectors involving an exsh debug shell.
smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.
A potential vulnerability due to improper buffer validation in the SMI handler LenovoFlashDeviceInterface in Thinkpad X1 Fold Gen 1 could be exploited by an attacker with local access and elevated privileges to execute arbitrary code.
A vulnerability in Cisco SD-WAN Solution software could allow an authenticated, local attacker to elevate privileges to root on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to gain root-level privileges.
The AX.25 daemon (ax25d) in ax25-tools before 0.0.8-13 does not check the return value of a setuid call. The setuid call is responsible for dropping privileges but if the call fails the daemon would continue to run with root privileges which can allow possible privilege escalation.
A local privilege escalation vulnerability in MA for Windows prior to 5.7.6 allows a local low privileged user to gain system privileges through running the repair functionality. Temporary file actions were performed on the local user's %TEMP% directory with System privileges through manipulation of symbolic links.
A Privilege Escalation vulnerability exists in the unquoted Service Binary in SDPAgent or SDBAgent in Safend Data Protector Agent 3.4.5586.9772, which could let a local malicious user obtain privileges.
A local privilege escalation vulnerability caused by incorrect permission assignment in some directories of the Zyxel AP Configurator (ZAC) version 1.1.4, which could allow an attacker to execute arbitrary code as a local administrator.
Incomplete fix for CVE-2021-3100. The Apache Log4j hotpatch package starting with log4j-cve-2021-44228-hotpatch-1.1-16 will now explicitly mimic the Linux capabilities and cgroups of the target Java process that the hotpatch is applied to.
An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka 'Windows Certificate Dialog Elevation of Privilege Vulnerability'.
Incomplete fix for CVE-2021-3101. Hotdog, prior to v1.0.2, did not mimic the resource limits, device restrictions, or syscall filters of the target JVM process. This would allow a container to exhaust the resources of the host, modify devices, or make syscalls that would otherwise be blocked.
The overlayfs implementation in the Linux kernel through 4.5.2 does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.
An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation, aka 'Windows UPnP Service Elevation of Privilege Vulnerability'.
The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."
Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC Classic before 2015.006.30060, and Acrobat and Acrobat Reader DC Continuous before 2015.008.20082 on Windows and OS X allow attackers to bypass intended access restrictions and perform a transition from Low Integrity to Medium Integrity via unspecified vectors, a different vulnerability than CVE-2015-4446 and CVE-2015-5106.
A vulnerability in London Trust Media Private Internet Access (PIA) VPN Client v77 for Windows could allow an unauthenticated, local attacker to run executable files with elevated privileges. The vulnerability is due to insufficient implementation of access controls. The "Changelog" and "Help" options available from the system tray context menu spawn an elevated instance of the user's default web browser. An attacker could exploit this vulnerability by selecting "Run as Administrator" from the context menu of an executable file within the file browser of the spawned default web browser. This may allow the attacker to execute privileged commands on the targeted system.
A unnecessary privilege vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security 10.0 SP1 (on-prem versions only) could allow a local attacker to abuse an impersonation privilege and elevate to a higher level of privileges. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44019 and 44021.
An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44019 and 44020.
An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44020 and 44021.
Azure RTOS Elevation of Privilege Vulnerability